telnet from routed ip subnet to asa 5580

Unanswered Question
Feb 5th, 2009

Hi,


I am trying to telnet and SSH to the ASA from the inside routed subnet, but it is not happening. When I telnet from the directly connected subnet of the ASA, it works.


Is this a constraint of the ASA, or can anything be done about this?



JORGE RODRIGUEZ Thu, 02/05/2009 - 09:25

It all depends on how you have configured the ASA to allow sources for SSH and telnet.


Can you post the output of

show run | inc telnet
show run | inc ssh

as well as the source IP of your routed subnet you are telneting from? Usually you can see the error and source IP in ASDM.


If you could provide this info we could assist better.


Regards


santoshm_75 Thu, 02/05/2009 - 20:06

Hi,


Please find the configuration of the firewall. The routed network from the inside zone is 10.205.41.0/25. The host IP address in this subnet is 10.205.41.101.


route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1

aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server

http server enable
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall

telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
telnet timeout 30
ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
ssh timeout 5
ssh version 2


Please find the access log of the same activities attached for your reference.


Regards

JORGE RODRIGUEZ Fri, 02/06/2009 - 10:23

I'm not clearly getting your logical setup in relation to where you are trying to SSH from and to. Also, there seems to be a TCP RESET-I, which tells me you are not initiating the SSH towards the right firewall interface, or I'm missing something.


You have

route Internal_Firewall 10.205.41.0 255.255.255.128 10.205.40.39 1


but looking at your logs:

Inbound TCP connection denied from 10.205.41.101/3392 to 10.205.41.165/80 flags SYN on interface Internal_Firewall


You are trying to HTTP from the 10.205.41.0/25 network, by source 10.205.41.101/25, to the firewall interface or destination IP 10.205.41.165/29, which, if I'm not mistaken, could be an interface IP address of the firewall for network 10.205.41.160/29.


If you want to SSH/telnet/HTTPS to the firewall from hosts behind a routed network through one of your firewall interfaces, those hosts have to telnet/SSH/HTTPS towards the interface of the firewall they reside under.


Meaning, if 10.205.41.101/25 wants to SSH/HTTP/telnet to the firewall, it needs to do it towards the firewall interface IP this network is being routed under. The same applies for sources under 10.205.41.160/29 telneting or SSHing through the firewall interface they are under.
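The rule Jorge describes (the source must match an http/telnet/ssh entry bound to the interface whose address the host connects to) can be checked against the configuration posted above. This is an added example, not code from the thread or from Cisco; the interface addresses are assumptions taken from the discussion (10.205.40.38 for Internal_Firewall as later stated by santoshm_75, 10.205.41.165 for Admin_zone as Jorge's guess), and the function names are mine.

```python
import ipaddress

# Interface addresses as described in the thread (assumed, not from a real device)
INTERFACES = {
    "Internal_Firewall": ipaddress.ip_address("10.205.40.38"),
    "Admin_zone": ipaddress.ip_address("10.205.41.165"),
}

# Management-access lines copied from the configuration posted in the thread
CONFIG = """
http 10.205.41.160 255.255.255.248 Admin_zone
http 10.205.41.0 255.255.255.128 Internal_Firewall
telnet 10.205.41.160 255.255.255.248 Admin_zone
telnet 10.205.41.0 255.255.255.128 Internal_Firewall
telnet timeout 30
ssh 10.205.41.160 255.255.255.248 Admin_zone
ssh 10.205.41.101 255.255.255.255 Internal_Firewall
ssh timeout 5
ssh version 2
"""


def parse_management_access(config):
    """Return {service: [(network, interface_name), ...]} for http/telnet/ssh lines."""
    rules = {"http": [], "telnet": [], "ssh": []}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in rules:
            continue  # skips "timeout"/"version" lines and unrelated config
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        rules[parts[0]].append((net, parts[3]))
    return rules


def management_access_allowed(rules, interfaces, service, src_ip, dst_ip):
    """Apply the rule from the thread: the destination must be a firewall interface
    address, and the source must fall inside an entry for that service that is
    bound to that same interface name. Returns (allowed, reason)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    iface = next((name for name, ip in interfaces.items() if ip == dst), None)
    if iface is None:
        return False, f"{dst} is not a firewall interface address"
    for net, name in rules.get(service, []):
        if name == iface and src in net:
            return True, f"{src} matches '{service} {net} {iface}'"
    return False, f"no '{service}' entry on {iface} covers {src}"
```

Running the logged attempt (HTTP from 10.205.41.101 to 10.205.41.165) through the checker reports a denial, because the only http entry on Admin_zone is 10.205.41.160/29, while SSH from 10.205.41.101 to 10.205.40.38 is reported as allowed by the /32 entry on Internal_Firewall.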



santoshm_75 Sat, 02/07/2009 - 01:37

Hi,


I am not trying to telnet/SSH/HTTP to the management interface, but I am trying the interface which is connected to the routed interface. The IP address is 10.205.40.38/28; this is the inside interface of the firewall connected to the network where the routed area 10.205.41.101/25 exists.


When I telnet to the internal interface of the firewall, it drops the connection.


Regards,

Tshi M Mon, 02/09/2009 - 05:01

Hi,


I am a bit confused. Your log shows a deny to 10.205.41.165, but you mentioned that you are trying to HTTP, SSH, and telnet to 10.205.40.38. Is that correct? Can you ping 10.205.40.38 from 10.205.41.101?

santoshm_75 Mon, 02/09/2009 - 06:21

Hi,


Yes, I can ping from 10.205.41.101 to 10.205.40.38, but when I telnet or SSH or HTTP, it drops the connection.


Regards,

Tshi M Mon, 02/09/2009 - 06:28

Could you please post your firewall config? I am still a bit confused about the log, since it is reporting a deny to a different address and not 10.205.40.38.


Regards,
